In the Claims: 

1. (Currently amended) A method for providing access management through 
use of a plurality of server machines associated with different locations, said method 
comprising the acts of: 

(a) receiving, at a first server machine of the plurality of server machines, an 
access request to access secure items from a user of a first client machine at a first 
location; 

(b) authenticating the user of the first client machine at the first location; 

(c) authenticating the first client machine; 

(d) determining whether the user is permitted to gain access to secure items 
via the first location when said authenticating (b) and (c) are successful; 

(e) permitting the user to gain access to secure items via the first server 
machine when said determining (d) determines that the user is permitted to gain 
access to secure items from the first location; and 

(f) preventing the user to gain access to secure items via the first server 
machine when said determining (e) (d) determines that the user is not permitted to 
gain access to secure items from the first location. 

2. (Original) A method as recited in claim 1, wherein said determining (d) 
comprises: 

(dl) obtaining access privileges associated with the user to determine at least 
permitted locations for the user; and 

(d2) determining whether the user is permitted to gain access to secure items 
from the first location based on the permitted locations associated with the user. . 
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3. (Original) A method as recited in claiml, wherein, when permitted by said 
permitting (e), the user gains access to secure items from the first location via the 
first client machine and the first server machine. 

4. (Original) A method as recited in claim 1, wherein, when permitted by said 
permitting (e), the user gains access to secure items from the first location via the 
first client machine and the first server machine. 

5. (Original) A method as recited in claim 1, wherein said method comprises the 
acts of: 

(g) preventing the user from gaining access to secure items via any of the 
server machines other than the first server machine when said determining (d) 
determines that the user is permitted to gain access to secure items from the first 
location. 

6. (Original) A method as recited in claim 1, 

wherein said determining (d) comprises determining whether the user is 
permitted to gain access to secure items via the first client machine and the first 
server machine, and 

wherein said permitting (e) operates to permit the user to gain access to 
secure items via the first client machine and the first server machine when said 
determining (d) determines that the user is permitted to gain access to secure items 
via both the first client machine and the first server machine. 

7. (Original) A method as recited in claim 1, 



3 



PA2903US 



wherein said determining (d) comprises determining whether the user is 
permitted to gain access to secure items via the first server machine, and 

wherein said permitting (e) operates to permit the user to gain access to 
secure items via the first server machine when said determining (d) determines that 
the user is permitted to gain access to secure items via the first server machine. 

8. (Original) A method as recited in claim 1, 

wherein said determining (d) comprises determining whether the user is 
permitted to gain access to secure items via the first client machine, and 

wherein said permitting (e) operates to permit the user to gain access to 
secure items via the first client machine when said determining (d) determines that 
the user is permitted to gain access to secure items via the first client machine. 

9. (Original) A method as recited in claim 1, wherein said method comprises the 
acts of: 

(g) preventing the user from gaining access to secure items via any of the 
server machines other than the first server machine when said determining (d) 
determines that the user is permitted to gain access to secure items from the first 
location. 

I 

10. (Original) A method as recited in claim 9, wherein said preventing (g) of the 
user to gain access to secure items via any of the other server machines comprises 
reconfiguring at least any of the other server machines that previously permitted the 
user to gain access to secure items therethrough. 



4 



PA2903US 



11. (Original) A method as recited in claim 10, wherein said permitting (e) of the 
user to gain access to secure items via the first server machine comprises 
reconfiguring the first server machine to permit access by the user to secured items 
via the first server machine. 

12. (Original) A method as recited in claim 11, wherein said determining (d) 
comprises: 

(dl) obtaining access privileges associated with the user to determine at least 
permitted locations for the user; and 

(d2) determining whether the user is permitted to gain access to secure items 
from the first location based on the permitted locations associated with the user. 

13. (Original) A method as recited in claim 1, wherein said permitting (e) of the 
user to gain access to secure items via the first server machine comprises 
reconfiguring the first server machine to permit access by the user to secured items 
via the first server machine. 

14. (Original) A method as recited in claim 1, wherein each of the secure items is 
a secured file, the secured file having a format that comprises a header including 
security information as to who and how the secure item can be accessed; an 
encrypted data portion including data of the secure file encrypted with a file key 
according to a predetermined cipher scheme, and wherein the header is attached to 
the encrypted data portion to generate the secured file. 



15. (Original) A method as recited in claim 14, wherein the security information 
in the header of the secured file facilitates the restricted access to the secured file. 
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16. (Original) A method as recited in claim 15, wherein the security information 
in the header of the secured file points to or includes the access rules and a file key. 

17. (Original) A method as recited in claim 14, wherein the security information 
is encrypted ' with a user key associated with a user. 

18. (Original) A method as recited in claim 14, wherein the security information 
includes the file key and access rules to the restricted access to the secured file. 

19. (Original) A method as recited in claim 18, wherein the file key is retrieved to 
decrypt the encrypted data portion in the secured file when access privilege of the 
user is within access permissions by the access rules. 

20. (Original) A method as recited in claim 18, wherein the access rules are 
expressed in a markup language. 

21. (Original) A method for providing access management through use of a 
distributed network of server machines/said method comprising the acts of: 

(a) receiving, at first server machine of the plurality of server machines, an 
access request to access secure items from a user of a first client machine; 

(b) authenticating the user of the client machine; 

(c) authenticating the first client machine; 

(d) retrieving access privileges associated with the user; 
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(e) determining whether the user is permitted to gain access to secure items 
via the first server machine based on the access privileges when said authenticating 
(b) and (c) are successful; 

(f) permitting the user to gain access to secure items via the first server 
machine when said determining (e) determines that the user is permitted to gain 
access to secure items via the first server machine; and 

(g) preventing the user to gain access to secure items via the first server 
machine when said determining (e) determines that the user is not permitted to gain 
access to secure items via the first server machine. 

22. (Original) A method as recited in claim 21, wherein said method comprises 
the acts pf: 

(h) preventing the user from gaining access to secure items via any of the 
server machines other than the first server machine when said determining (e) 
determines that the user is permitted to gain access to secure items via the first 
server machine. 

23. (Original) A method as recited in claim 21, 

wherein said determining (e) further determines whether the user is 
permitted to gain access to secure items via the first client machine, and 

wherein said permitting (f) operates to permit the user to gain access to secure 
items via the first client machine and the first server machine when said determining 
(e) determines that the user is permitted to gain access to secure items via both the 
first client machine and the first server machine. 
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24. (Original) A method as recited in claim 23, wherein said method comprises 
the acts of: 

(h) preventing the user from gaining access to secure items via any of the 
server machines other than the first server machine when said determining (e) 
determines that the user is permitted to gain access to secure items via the first 
server machine. 

25. (Original) A method as recited in claim 24, wherein said preventing (h) of the 
user to gain access to secure items via any of the other server machines comprises 
reconfiguring at least any of the other server machines that previously permitted the 
user to gain access to secure items therethrough. 

26. (Original) A method as recited in claim 25, wherein said permitting (f) of the 
user to gain access to secure items via the first server machine comprises 
reconfiguring the first server machine to permit access by the user to secured items 
via the first server machine. 

27] (Original) A method as recited in claim 21, wherein said permitting (f) of the . 
user to gain access to secure items via the first server machine comprises 
reconfiguring the first server machine to permit access by the user to secured items 
via the first server machine. 

28. (Original) A method as recited in claim 21, wherein each of the secure items 
is a secured file, the secured file having a format that comprises a header including 
security information as to who and how the secure item can be accessed; an 
encrypted data portion including data of the secure file encrypted with a file key 
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according to a predetermined cipher scheme, and wherein the header is attached to 
the encrypted data portion to generate the secured file. 

29. (Original) A method as recited in claim 28, wherein the security information 
in the header of the secured file facilitates the restricted access to the secured file. 

30. (Original) A method as recited in claim 28, wherein the security information 
is encrypted with a user key associated with a user. 

i 

31. (Original) A method as recited in claim 28, wherein the security information 
includes the file key and access rules to the restricted access to the secured file. 

32. (Original) A method as recited in claim 28, wherein the file key is retrieved to 
decrypt the encrypted data portion in the secured file when access privilege of the 
user is within access permissions by the access rules. 

33. (Original) A method as recited in claim 31, wherein the access rules are 
expressed in a markup language. 

34. (Original) A computer readable medium including at least computer 
program code for providing access management to secured content through use of a 
plurality of server machines associated with different locations, said computer 
readable medium comprising: 

computer program code for receiving, at a first server machine of the plurality 
of server machines, an access request to access secured items from a user of a first 
client machine at a first location; 
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computer program code for authenticating the user of the first client machine 
at the first location; 

computer program code for authenticating the first client machine; computer 
program code for determining whether the user is permitted to gain access to 
secured items via the first location when said computer program code for 
authenticating the first client machine and the user are successful; 

computer program code for permitting the user to gain access to secured 
items via the first server machine when said computer program code for 
determining determines that the user is permitted to gain access to secured items 
from the first location; and 

computer program code for preventing the user to gain access to secured 
items via the first server machine when said computer program code for 
determining determines that the user is not permitted to gain access to secured items 
from the first location. 

35. (Original) A computer readable medium including at least computer 
program code for providing access management through use of a distributed 
network of server machines, said computer readable medium comprises: 

computer program code for receiving, at first server machine of the plurality 
of server machines, an access request to access secure items from a user of a first 
client machine; 

computer program code for authenticating the user of the client machine; 
computer program code for authenticating the first client machine; 
computer program code for retrieving access privileges associated with the 

user; 
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computer program code for determining whether the user is permitted to gain 
access to secure items via the first server machine based on the access privileges 
when said computer program code for authenticating the first client machine and the 
user are successful; 

computer program code for permitting the user to gain access to secure items 
via the first server machine when said computer program code for determining 
determines that the user is permitted to gain access to secure items via the first 
server machine; and 

computer program code for preventing the user to gain access to secure items 
via the first server machine when said computer program code for determining 
determines that the user is not permitted to gain access to secure items via the first 
server machine. 

36. (Previously presented) An access control system that restricts access to 
secured items, said system comprising: 

a central server having a server module that provides overall access control; 

and 

a plurality of local servers, each of said servers including a local module that 
provides local access control, 

wherein the access control, performed by said central server or said local 
servers, operates to permit or deny access requests to secured items by requestors, 
and 

wherein a given requestor, permitted to access secure items through one or 
more of said local servers, is only able to access secured items using only a single one 
of said local servers or the central server such that the given requestor can only 
access secured items through at most one of said local servers at a time. 
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37. (Original) An access control system as recited in claim 36, wherein said access 
control system couples to an enterprise network to restrict access to secured files 
stored therein. 

38. (Original) An access control system as recited in claim 37, wherein the access 
requests are at least primarily processed in a distributed manner by said local 
servers. 

39. (Currently Amended) An access control system as recited in claim 38, 
wherein when the access requests are processed by said local servers, the requestors 
gain access to the secured files without having to access said central server. 

40. (Original) An access control system as recited in claim 37, wherein the local 
module can be a copy of the server module so any of the local modules can operate 
independent of said central server and other of said local servers. 

41. (Original) An access control system as recited in claim 37, wherein the local 
module can be a subset of the server module. 

42. (Original) An access control system as recited in claim 37, wherein access 
permissions for said local servers can be dynamically configured to pass a requestor 
from one of said local servers to another of said local servers, thereby enabling access 
control to be performed by the another of said local servers such as when the 
location of the requestor changes. 
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43. (Previously presented) An access control system as recited in claim 37, 
wherein the secured files are secured by encryption of the files. 

44. (Original) An access control system as recited in claim 37, wherein the 
secured files are secured by encryption. 
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